If you can't say anything nice, kvetch about it. Miscellaneous rants, shames and (very rarely) praises of developments in the area of privacy, data protection and cyberlaw.

Thursday, 15 July 2010

An opening salvo?

After many weeks of joyful distractions, Matron just spent a few days concentrating on the day job and, among other things, dutifully worked her way through the EU Working Party’s Report on the implementation of the Data Retention Directive. At the risk of teaching grandmothers to suck the proverbial eggs, that is the small innocuous piece of EU legislation that requires EU member states to impose an obligation on its telco providers and ISPs to retain all data relating to the telephone call made and e-mails sent by us, the Great Unwashed. Sender, addressee, time of transmission, location of transmission – you get the picture. As will the law enforcement authorities and selected others who may access that data. The full picture. Of all of us.

While the WP’s report does not include the comprehensive condemnation of the Directive that many were hoping for, it makes for interesting reading. Of course, the easy explanation for the lack of condemnation may possibly be that there was nothing to condemn as yet. According to the report, only a few member states did provide the requested information regarding the number of requests submitted to providers, the cases where the requested information was provided and those where the provider was unable to make available the requested data. Nor is data available about the time elapsed between the date on which the data were stored and the date on which the authorities requested transmission of said data. As the WP rightly points out, this lack of information makes it somewhat difficult to evaluate a) whether the prescribed retention periods are realistic and b) whether the mandatory retention of traffic data is actually necessary to combat crime and terrorism. In an ideal world both of these questions should obviously have been asked before the Directive was adopted, but when did evidence-based policy making last get in the way of a good lobbying campaign (the British DEAct debacle is a point in case)?

The fact that the questions are asked only now, when the Commission is seriously considering either revoking or at least substantially amending the Directive, may make for some amusing debates. Matron wonders in whose favour this lack of information will be interpreted. Will member states pipe up that it is far too early to even consider a revocation, given that we do not yet know, whether the sodding thing worked in the first place? Or will the Commission - as it should properly do - remind law enforcement authorities that the burden of proof of showing that retention is necessary is on them. No statistics, no further retention? That would be the day.

But while we wait for this issue to resolved, here’s a short summary of what Matron considers to be the highlights of today’s report:

1. Very interestingly, the WP interprets the DR Directive as a derogation from the general requirement on providers to erase all traffic data when it is no longer required for billing purposes. It takes this to mean that the list of data to be retained under Article 5 of the Directive is exhaustive and that member states must not require ISPs to retain any additional data categories not mentioned in the Directive. This is likely to come as a bit of a shock to those member states which, like the UK, have shown an interest in using domestic law to impose retention requirements for traffic data generated by users of social networking services and search engines. Of course, things have changed even in the UK and we live in an entirely new political environment now. But Matron seems to remember the write up of a meeting of a parliamentary committee circa 2008 where laws of that nature were demanded by a number of Tory MPs and peers. Despite the coalitions promise that it “will end the storage of internet and email records without good reason”, it all depends – as better minds than Matron’s have already pointed out – on how you define “good reason”.

2. Although, the DR Directive gives member states a choice to impose retention periods from 6 to 24 months, 78% of member states actually require the retention for 12 months or longer. The WP seems quite concerned about the discrepancies in retention periods between the different member states as this impacts on the principle whereby EU citizens “can enjoy throughout the European Union the same level of protection”. It also means that the costs to be borne by providers can differ considerably from country to country which, in turn, may affect competition. Matron is sure that this fact was pointed out to the law makers when the Directive was first adopted but, of course, she may be wrong here.

The interesting question arising from all this is this: if the WP favours a harmonised (i.e. applying in all member states), single (applying to all data categories) and shorter retention term and given that the German Constitutional Court has already quite categorically stated that it deems anything above six months to be unconstitutional under German law, is this the best indication yet that we are heading for a harmonised 6 months retention period? Not ideal, but definitely “bird-in-the-hand” material.

Scarily, the WP also found that there were some serious violations of existing laws by the provider. First, it found that in some cases data is actually stored for longer periods than those set forth in the DR directive. In some cases data was retained for as long as 36 months, and in one case the storage period was found to amount to 10 years. Secondly, the WP found that one EU member state (which was not named) actually used DR Directive to retain the content of SMS messages to which the security services were then given access. Matron can only hope that infringement procedures will be commenced against that member state forthwith.

3. It seems that the security measures taken by individual providers vary wildly with bigger providers generally found to employ higher security measures. No surprise there, given the cost of putting in place such measure, but it’s nice to see that conclusion in black and white nonetheless.

4. The extent to which, and the way in which, access is granted to law enforcement and other public authorities also seems to vary. So much so that the WP calls for inclusion of provisions in a revised Directive that would regulate the modalities of access. Among other things, it recommends that:

a) data should only be accessed by duly authorised staff

b) strong access control to the retained data should be maintained; and

c) detailed tracking of accesses and processing operations by way of log retention, via logs recording at least user identity, access time, file acceded should be carried out.

Another announcement from the Department of the Bleedin' Obvious then but - in the WP’s defence - it has always advocated that access to retained data should be addressed in the same legal instrument as retention. But on this, as on many other issues, opponents were outmanoeuvred during what is still the shortest EU legislative procedure on record. Which plays no small part in the current problems those opponents have in persuading a court – any court – to accept the Directive and its implementing laws for judicial review to establish once and for all its human rights credentials. Maybe, just maybe, the EU institutions will see sense when negotiations of the Directive are opened up once again. And maybe the porcupine flying squad will presently take off at the back of Matron’s garden.

5. We all felt it on some level of inner consciousness, but now we know for sure: the definition of what constitutes “serious crime” (for the prevention of which data may be retained) is different in each member state. Which means that different member states have taken different approaches to the purposes for which retained data may be accessed (unless, of course, you live in the UK or in Germany, both of which have dispensed with the “serious” bit altogether – albeit that Germany was told “nonononono” by its Constitutional Court. No such luck in Britain). The WP recommends that, at the very least, each member state should have an exhaustive list of crimes that it considers to be “serious” and that, at best, this list should be harmonised at European level.

6. The WP thinks that the decision of whether or not law enforcement authorities should be given access to retained data should be up to judicial authorities. It seems a reasonable demand, but, of course, it would generally exclude all those members of the executive (like ministers, police superintendents, senior officers and duty managers) that are currently persons designated to request access to traffic data under the UK Regulation of Investigatory Powers (Communications Data) Order 2010. So what are the chances of this finding its way into a revised Directive? Who knows.

Overall, Matron can't help thinking that the WP’s report reads like a giant exercise in “I told you so”. Will it be enough? Do we have the right narrative this time round? Matron isn't sure. But it’s a start. An opening salvo. Next!